Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
10 vulnerabilities by tassos.gr
CVE-2026-48906 (GCVE-0-2026-48906)
Vulnerability from nvd – Published: 2026-05-27 09:11 – Updated: 2026-06-05 07:27
VLAI
EPSS
VEX
Title
Extension - tassos.gr - Arbitrary File Deletion in Novarain/Tassos Framework < 6.1.0 for Joomla
Summary
The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://tassos.gr | product |
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| tassos.gr | Novarain/Tassos Framework (plg_system_nrframework) |
Affected:
1.0.0-6.0.1
|
|
| tassos.gr | Convert Forms |
Affected:
1.0.0-4.4.12
Affected: 5.0.0-5.1.5 |
|
| tassos.gr | EngageBox |
Affected:
1.0.0-6.3.11
Affected: 7.0.0-7.1.1 |
|
| tassos.gr | Google Structured Data |
Affected:
1.0.0-5.6.11
Affected: 6.0.0-6.1.9 |
|
| tassos.gr | Advanced Custom Fields |
Affected:
1.0.0-2.8.12
Affected: 3.0.0-3.1.3 |
|
| tassos.gr | Smile Pack |
Affected:
1.0.0-1.2.6
Affected: 2.0.0-2.1.0 |
|
| tassos.gr | Tassos Code Snippets |
Affected:
1.0.0
|
|
| tassos.gr | MailChimp Auto-Subscribe |
Affected:
1.0.0-5.0.5
Affected: 5.1.0-5.2.0 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48906",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T12:10:04.491382Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T12:11:19.309Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Novarain/Tassos Framework (plg_system_nrframework)",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0-6.0.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Convert Forms",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0-4.4.12"
},
{
"status": "affected",
"version": "5.0.0-5.1.5"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EngageBox",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0-6.3.11"
},
{
"status": "affected",
"version": "7.0.0-7.1.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Google Structured Data",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0-5.6.11"
},
{
"status": "affected",
"version": "6.0.0-6.1.9"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Advanced Custom Fields",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0-2.8.12"
},
{
"status": "affected",
"version": "3.0.0-3.1.3"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Smile Pack",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0-1.2.6"
},
{
"status": "affected",
"version": "2.0.0-2.1.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Tassos Code Snippets",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MailChimp Auto-Subscribe",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0-5.0.5"
},
{
"status": "affected",
"version": "5.1.0-5.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Leandro Vallim"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites."
}
],
"value": "The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/AU:Y",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T07:27:40.844Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"product"
],
"url": "https://tassos.gr"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Extension - tassos.gr - Arbitrary File Deletion in Novarain/Tassos Framework \u003c 6.1.0 for Joomla",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2026-48906",
"datePublished": "2026-05-27T09:11:40.231Z",
"dateReserved": "2026-05-26T10:06:17.656Z",
"dateUpdated": "2026-06-05T07:27:40.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21627 (GCVE-0-2026-21627)
Vulnerability from nvd – Published: 2026-02-20 14:22 – Updated: 2026-02-23 05:07
VLAI
EPSS
VEX
Title
Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 – v6.0.37 for Joomla
Summary
The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://tassos.gr | product |
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| tassos.gr | Novarain/Tassos Framework (plg_system_nrframework) |
Affected:
4.10.14–6.0.37
|
|
| tassos.gr | Convert Forms |
Affected:
3.2.12–5.1.0
|
|
| tassos.gr | EngageBox |
Affected:
6.0.0–7.1.0
|
|
| tassos.gr | Google Structured Data |
Affected:
5.1.7–6.1.0
|
|
| tassos.gr | Advanced Custom Fields |
Affected:
2.2.0–3.1.0
|
|
| tassos.gr | Smile Pack |
Affected:
1.0.0–2.1.0
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21627",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T20:42:52.948106Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T20:43:10.027Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Novarain/Tassos Framework (plg_system_nrframework)",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "4.10.14\u20136.0.37"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Convert Forms",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "3.2.12\u20135.1.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EngageBox",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "6.0.0\u20137.1.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Google Structured Data",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "5.1.7\u20136.1.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Advanced Custom Fields",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "2.2.0\u20133.1.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Smile Pack",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0\u20132.1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "p1r0x / ssd-disclosure.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla\u2019s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction."
}
],
"value": "The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla\u2019s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T05:07:12.296Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"product"
],
"url": "https://tassos.gr"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 \u2013 v6.0.37 for Joomla",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2026-21627",
"datePublished": "2026-02-20T14:22:14.744Z",
"dateReserved": "2026-01-01T04:42:27.960Z",
"dateUpdated": "2026-02-23T05:07:12.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22212 (GCVE-0-2025-22212)
Vulnerability from nvd – Published: 2025-03-05 15:15 – Updated: 2025-03-14 22:58
VLAI
EPSS
VEX
Title
Extension - tassos.gr - SQL injection in Convert Forms component version 1.0.0-1.0.0 - 4.4.9 for Joomla
Summary
A SQL injection vulnerability in the Convert Forms component versions 1.0.0-1.0.0 - 4.4.9 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the submission management area in backend.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.tassos.gr/ | product |
| https://github.com/AdamWallwork/CVEs/tree/main/20… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tassos.gr | Convert Forms component for Joomla |
Affected:
1.0.0-4.4.9
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-22212",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T15:57:16.403725Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T15:57:19.711Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "com_convertforms",
"product": "Convert Forms component for Joomla",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0-4.4.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adam Wallwork"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A SQL injection vulnerability in the Convert Forms component versions 1.0.0-1.0.0 - 4.4.9 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the submission management area in backend."
}
],
"value": "A SQL injection vulnerability in the Convert Forms component versions 1.0.0-1.0.0 - 4.4.9 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the submission management area in backend."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T22:58:30.568Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.tassos.gr/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/AdamWallwork/CVEs/tree/main/2025/CVE-2025-22212"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Extension - tassos.gr - SQL injection in Convert Forms component version 1.0.0-1.0.0 - 4.4.9 for Joomla",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2025-22212",
"datePublished": "2025-03-05T15:15:51.874Z",
"dateReserved": "2025-01-01T04:33:02.765Z",
"dateUpdated": "2025-03-14T22:58:30.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40745 (GCVE-0-2024-40745)
Vulnerability from nvd – Published: 2024-12-04 15:02 – Updated: 2024-12-25 04:34
VLAI
EPSS
VEX
Title
Extension - tassos.gr - Reflected Cross site scripting vulnerability in Convert Forms component for Joomla < 4.4.8
Summary
Reflected Cross site scripting vulnerability in Convert Forms component for Joomla in versions before 4.4.8.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.tassos.gr/joomla-extensions/convert-forms | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tassos.gr | Convert Forms component for Joomla |
Affected:
1.0.0-4.4.7
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-40745",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-04T16:49:50.442949Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-04T16:50:14.735Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "com_osticky",
"product": "Convert Forms component for Joomla",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0-4.4.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Horizon Security\u2019s Offensive Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Reflected Cross site scripting vulnerability in Convert Forms component for Joomla in versions before 4.4.8."
}
],
"value": "Reflected Cross site scripting vulnerability in Convert Forms component for Joomla in versions before 4.4.8."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-25T04:34:24.527Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.tassos.gr/joomla-extensions/convert-forms"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Extension - tassos.gr - Reflected Cross site scripting vulnerability in Convert Forms component for Joomla \u003c 4.4.8",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2024-40745",
"datePublished": "2024-12-04T15:02:05.517Z",
"dateReserved": "2024-07-09T16:16:21.864Z",
"dateUpdated": "2024-12-25T04:34:24.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40744 (GCVE-0-2024-40744)
Vulnerability from nvd – Published: 2024-12-04 15:01 – Updated: 2024-12-25 04:34
VLAI
EPSS
VEX
Title
Extension - tassos.gr - Unrestricted file upload in Convert Forms component for Joomla < 4.4.8
Summary
Unrestricted file upload via security bypass in Convert Forms component for Joomla in versions before 4.4.8.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.tassos.gr/joomla-extensions/convert-forms | product |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| tassos.gr | Convert Forms component for Joomla |
Affected:
1.0.0-4.4.7
|
|
| tassosgr | convert_forms |
Affected:
1.0.0 , < 4.4.8
(custom)
cpe:2.3:a:tassosgr:convert_forms:*:*:*:*:*:joomla\!:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tassosgr:convert_forms:*:*:*:*:*:joomla\\!:*:*"
],
"defaultStatus": "unknown",
"product": "convert_forms",
"vendor": "tassosgr",
"versions": [
{
"lessThan": "4.4.8",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-40744",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T17:04:35.515167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T17:27:11.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "com_osticky",
"product": "Convert Forms component for Joomla",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0-4.4.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Horizon Security\u2019s Offensive Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unrestricted file upload via security bypass in Convert Forms component for Joomla in versions before 4.4.8."
}
],
"value": "Unrestricted file upload via security bypass in Convert Forms component for Joomla in versions before 4.4.8."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-25T04:34:33.216Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.tassos.gr/joomla-extensions/convert-forms"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Extension - tassos.gr - Unrestricted file upload in Convert Forms component for Joomla \u003c 4.4.8",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2024-40744",
"datePublished": "2024-12-04T15:01:50.739Z",
"dateReserved": "2024-07-09T16:16:21.863Z",
"dateUpdated": "2024-12-25T04:34:33.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-48906 (GCVE-0-2026-48906)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:11 – Updated: 2026-06-05 07:27
VLAI
EPSS
VEX
Title
Extension - tassos.gr - Arbitrary File Deletion in Novarain/Tassos Framework < 6.1.0 for Joomla
Summary
The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://tassos.gr | product |
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| tassos.gr | Novarain/Tassos Framework (plg_system_nrframework) |
Affected:
1.0.0-6.0.1
|
|
| tassos.gr | Convert Forms |
Affected:
1.0.0-4.4.12
Affected: 5.0.0-5.1.5 |
|
| tassos.gr | EngageBox |
Affected:
1.0.0-6.3.11
Affected: 7.0.0-7.1.1 |
|
| tassos.gr | Google Structured Data |
Affected:
1.0.0-5.6.11
Affected: 6.0.0-6.1.9 |
|
| tassos.gr | Advanced Custom Fields |
Affected:
1.0.0-2.8.12
Affected: 3.0.0-3.1.3 |
|
| tassos.gr | Smile Pack |
Affected:
1.0.0-1.2.6
Affected: 2.0.0-2.1.0 |
|
| tassos.gr | Tassos Code Snippets |
Affected:
1.0.0
|
|
| tassos.gr | MailChimp Auto-Subscribe |
Affected:
1.0.0-5.0.5
Affected: 5.1.0-5.2.0 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48906",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T12:10:04.491382Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T12:11:19.309Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Novarain/Tassos Framework (plg_system_nrframework)",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0-6.0.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Convert Forms",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0-4.4.12"
},
{
"status": "affected",
"version": "5.0.0-5.1.5"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EngageBox",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0-6.3.11"
},
{
"status": "affected",
"version": "7.0.0-7.1.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Google Structured Data",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0-5.6.11"
},
{
"status": "affected",
"version": "6.0.0-6.1.9"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Advanced Custom Fields",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0-2.8.12"
},
{
"status": "affected",
"version": "3.0.0-3.1.3"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Smile Pack",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0-1.2.6"
},
{
"status": "affected",
"version": "2.0.0-2.1.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Tassos Code Snippets",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MailChimp Auto-Subscribe",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0-5.0.5"
},
{
"status": "affected",
"version": "5.1.0-5.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Leandro Vallim"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites."
}
],
"value": "The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/AU:Y",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T07:27:40.844Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"product"
],
"url": "https://tassos.gr"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Extension - tassos.gr - Arbitrary File Deletion in Novarain/Tassos Framework \u003c 6.1.0 for Joomla",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2026-48906",
"datePublished": "2026-05-27T09:11:40.231Z",
"dateReserved": "2026-05-26T10:06:17.656Z",
"dateUpdated": "2026-06-05T07:27:40.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21627 (GCVE-0-2026-21627)
Vulnerability from cvelistv5 – Published: 2026-02-20 14:22 – Updated: 2026-02-23 05:07
VLAI
EPSS
VEX
Title
Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 – v6.0.37 for Joomla
Summary
The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://tassos.gr | product |
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| tassos.gr | Novarain/Tassos Framework (plg_system_nrframework) |
Affected:
4.10.14–6.0.37
|
|
| tassos.gr | Convert Forms |
Affected:
3.2.12–5.1.0
|
|
| tassos.gr | EngageBox |
Affected:
6.0.0–7.1.0
|
|
| tassos.gr | Google Structured Data |
Affected:
5.1.7–6.1.0
|
|
| tassos.gr | Advanced Custom Fields |
Affected:
2.2.0–3.1.0
|
|
| tassos.gr | Smile Pack |
Affected:
1.0.0–2.1.0
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21627",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T20:42:52.948106Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T20:43:10.027Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Novarain/Tassos Framework (plg_system_nrframework)",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "4.10.14\u20136.0.37"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Convert Forms",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "3.2.12\u20135.1.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EngageBox",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "6.0.0\u20137.1.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Google Structured Data",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "5.1.7\u20136.1.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Advanced Custom Fields",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "2.2.0\u20133.1.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Smile Pack",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0\u20132.1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "p1r0x / ssd-disclosure.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla\u2019s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction."
}
],
"value": "The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla\u2019s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T05:07:12.296Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"product"
],
"url": "https://tassos.gr"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 \u2013 v6.0.37 for Joomla",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2026-21627",
"datePublished": "2026-02-20T14:22:14.744Z",
"dateReserved": "2026-01-01T04:42:27.960Z",
"dateUpdated": "2026-02-23T05:07:12.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22212 (GCVE-0-2025-22212)
Vulnerability from cvelistv5 – Published: 2025-03-05 15:15 – Updated: 2025-03-14 22:58
VLAI
EPSS
VEX
Title
Extension - tassos.gr - SQL injection in Convert Forms component version 1.0.0-1.0.0 - 4.4.9 for Joomla
Summary
A SQL injection vulnerability in the Convert Forms component versions 1.0.0-1.0.0 - 4.4.9 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the submission management area in backend.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.tassos.gr/ | product |
| https://github.com/AdamWallwork/CVEs/tree/main/20… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tassos.gr | Convert Forms component for Joomla |
Affected:
1.0.0-4.4.9
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-22212",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T15:57:16.403725Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T15:57:19.711Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "com_convertforms",
"product": "Convert Forms component for Joomla",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0-4.4.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adam Wallwork"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A SQL injection vulnerability in the Convert Forms component versions 1.0.0-1.0.0 - 4.4.9 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the submission management area in backend."
}
],
"value": "A SQL injection vulnerability in the Convert Forms component versions 1.0.0-1.0.0 - 4.4.9 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the submission management area in backend."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T22:58:30.568Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.tassos.gr/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/AdamWallwork/CVEs/tree/main/2025/CVE-2025-22212"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Extension - tassos.gr - SQL injection in Convert Forms component version 1.0.0-1.0.0 - 4.4.9 for Joomla",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2025-22212",
"datePublished": "2025-03-05T15:15:51.874Z",
"dateReserved": "2025-01-01T04:33:02.765Z",
"dateUpdated": "2025-03-14T22:58:30.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40745 (GCVE-0-2024-40745)
Vulnerability from cvelistv5 – Published: 2024-12-04 15:02 – Updated: 2024-12-25 04:34
VLAI
EPSS
VEX
Title
Extension - tassos.gr - Reflected Cross site scripting vulnerability in Convert Forms component for Joomla < 4.4.8
Summary
Reflected Cross site scripting vulnerability in Convert Forms component for Joomla in versions before 4.4.8.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.tassos.gr/joomla-extensions/convert-forms | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tassos.gr | Convert Forms component for Joomla |
Affected:
1.0.0-4.4.7
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-40745",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-04T16:49:50.442949Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-04T16:50:14.735Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "com_osticky",
"product": "Convert Forms component for Joomla",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0-4.4.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Horizon Security\u2019s Offensive Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Reflected Cross site scripting vulnerability in Convert Forms component for Joomla in versions before 4.4.8."
}
],
"value": "Reflected Cross site scripting vulnerability in Convert Forms component for Joomla in versions before 4.4.8."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-25T04:34:24.527Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.tassos.gr/joomla-extensions/convert-forms"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Extension - tassos.gr - Reflected Cross site scripting vulnerability in Convert Forms component for Joomla \u003c 4.4.8",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2024-40745",
"datePublished": "2024-12-04T15:02:05.517Z",
"dateReserved": "2024-07-09T16:16:21.864Z",
"dateUpdated": "2024-12-25T04:34:24.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40744 (GCVE-0-2024-40744)
Vulnerability from cvelistv5 – Published: 2024-12-04 15:01 – Updated: 2024-12-25 04:34
VLAI
EPSS
VEX
Title
Extension - tassos.gr - Unrestricted file upload in Convert Forms component for Joomla < 4.4.8
Summary
Unrestricted file upload via security bypass in Convert Forms component for Joomla in versions before 4.4.8.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.tassos.gr/joomla-extensions/convert-forms | product |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| tassos.gr | Convert Forms component for Joomla |
Affected:
1.0.0-4.4.7
|
|
| tassosgr | convert_forms |
Affected:
1.0.0 , < 4.4.8
(custom)
cpe:2.3:a:tassosgr:convert_forms:*:*:*:*:*:joomla\!:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tassosgr:convert_forms:*:*:*:*:*:joomla\\!:*:*"
],
"defaultStatus": "unknown",
"product": "convert_forms",
"vendor": "tassosgr",
"versions": [
{
"lessThan": "4.4.8",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-40744",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T17:04:35.515167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T17:27:11.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "com_osticky",
"product": "Convert Forms component for Joomla",
"vendor": "tassos.gr",
"versions": [
{
"status": "affected",
"version": "1.0.0-4.4.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Horizon Security\u2019s Offensive Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unrestricted file upload via security bypass in Convert Forms component for Joomla in versions before 4.4.8."
}
],
"value": "Unrestricted file upload via security bypass in Convert Forms component for Joomla in versions before 4.4.8."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-25T04:34:33.216Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.tassos.gr/joomla-extensions/convert-forms"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Extension - tassos.gr - Unrestricted file upload in Convert Forms component for Joomla \u003c 4.4.8",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2024-40744",
"datePublished": "2024-12-04T15:01:50.739Z",
"dateReserved": "2024-07-09T16:16:21.863Z",
"dateUpdated": "2024-12-25T04:34:33.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}